Clubhouse users should not assume conversations are private, a cybersecurity expert told Bloomberg.- Over the weekend, the app was breached by an unknown user who streamed audio feeds to an external website.
- This came just a week after the app said it was working to protect user data from hackers.
People participating in discussions on the audio-chatroom app Clubhouse should assume they are being recorded, data-privacy expert Alex Stamos told Bloomberg.
Over the weekend - nearly a week after the app said it was working to protect user data from hackers - cybersecurity experts learned that a user was remotely sharing login information, pulling audio and metadata from Clubhouse to an external site.
The unidentified user streamed Clubhouse audio feeds from "multiple rooms" into their own third-party website, a Clubhouse spokesperson told the publication.
The company has permanently banned the user, it added.
"Clubhouse cannot provide any privacy promises for conversations held anywhere around the world," Stamos, director of the Stanford Internet Observatory (SIO) and former Facebook security chief, told Bloomberg.
While the SIO was unable to identify the hackers, Stamos said the perpetrators used JavaScript - the same programming language used to create Clubhouse - in order to breach the system.
Insider contacted Clubhouse for comment, but did not receive a response in time for publication.
On February 12, the SIO released a report into the invite-only app which said user data may be accessible to China's government. In response, Clubhouse said it would review its policies and roll out added encryption in the next "72 hours." It also said it plans to hire an external data security firm to review these changes.
SIO researchers said they found some of Clubhouse's back-end infrastructure, including its audio production and data traffic processing, had been provided by Agora, a Shanghai-based startup with an office in Silicon Valley. Some of this data was being transmitted without encryption.
"Agora would likely have access to users' raw audio, potentially providing access to the Chinese government," the researcher said, and cited an SEC filing in which Agora said it was required to aid the Chinese government in national security and criminal investigations. Conversations about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity, the SIO said.
Agora told Bloomberg it couldn't comment on Clubhouse's security or privacy protocols, but said it was "committed to making our products as secure as we can."
A researcher at the SIO, Jack Cable, told Bloomberg that Clubhouse will likely look into restricting the rooms a user can enter at once, as well as the use of third-party applications in the chatrooms in order to prevent future data breaches.
Clubhouse users have live streamed and shared conversations on outside platforms in the past. In January, viewers hit the app's 5,000 guests per room limit when Tesla CEO
Weeks later, an appearance by Facebook CEO Mark Zuckerberg on the same Clubhouse show caused the app to crash for some users.
The invite-only app has continued to garner public interest since it was created less than a year ago as a way to promote free speech and dynamic conversations online. In the past few months, celebrities, including Paris Hilton, Oprah Winfrey, and Mark Cuban, have flocked to the application.
In January, the app backed by Andreessen Horowitz received a $1 billion valuation.
Clubhouse operates as a real time, audio-only application which allows users to go into individual "rooms" and discuss anything from politics to social justice and pop culture.
The app is currently in beta mode, but in February, Clubhouse CEO Paul Davison told CNBC he plans to open the audio app to all users as soon as possible.